Bug 1449728
| Summary: | LDAP to IPA migration doesn't work in master | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Nikhil Dehadrai <ndehadra> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sgoveas, tscherf |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.15.2-43.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 09:06:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Jakub Hrozek
2017-05-10 14:17:57 UTC
master:
* a5e134b22aa27ff6cd66a7ff47089788ebc098a1

IPA version: ipa-server-4.5.0-14.el7.x86_64
SSSD: sssd-1.15.2-43.el7.x86_64

1. Verified that LDAP user after migration is able to authenticate to MASTER.
2. Refer the output below for the test:

```
:: [ LOG ] :: Migrate users with hashed passwords
:: [ 06:51:30 ] :: EXECUTING: ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://bkr-hv03-guest26.testrelm.test:389
:: [ BEGIN ] :: Running 'echo Secret123 | ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://bkr-hv03-guest26.testrelm.test:389'
-----------
migrate-ds:
-----------
Migrated:
  user: puser1, puser2
  group: accounting managers, hr managers, qa managers, pd managers, group1, group2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided with clear text passwords.
All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.
:: [ PASS ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://bkr-hv03-guest26.testrelm.test:389' (Expected 0, got 0)
:: [ BEGIN ] :: Verify migrated user puser1 does not have a keytab :: actually running 'verifyUserAttr puser1 "Kerberos keys available" False'
:: [ 06:51:32 ] :: Value of Kerberos keys available for user puser1 is as expected: False
:: [ PASS ] :: Verify migrated user puser1 does not have a keytab (Expected 0, got 0)
:: [ BEGIN ] :: Verify migrated user puser2 does not have a keytab :: actually running 'verifyUserAttr puser2 "Kerberos keys available" False'
:: [ 06:51:33 ] :: Value of Kerberos keys available for user puser2 is as expected: False
:: [ PASS ] :: Verify migrated user puser2 does not have a keytab (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123 | kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa user-find puser1'
--------------
1 user matched
--------------
  User login: puser1
  Last name: User1
  Home directory: /home/puser1
  Login shell: /bin/bash
  Principal name: puser1
  Principal alias: puser1
  UID: 1001
  GID: 1001
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Command 'ipa user-find puser1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa user-find puser2'
--------------
1 user matched
--------------
  User login: puser2
  Last name: User2
  Home directory: /home/puser2
  Login shell: /bin/bash
  Principal name: puser2
  Principal alias: puser2
  UID: 1002
  GID: 1002
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Command 'ipa user-find puser2' (Expected 0, got 0)
'589519d2-cb87-4bef-bb22-73a0a69ab9a5'
Migrate-users-with-hashed-passwords result: PASS
:: [ LOG ] :: SSSD password migration with user1
:: [ BEGIN ] :: Running 'ssh_auth_success puser1 fo0m4nchU ibm-x3650m4-01-vm-04.testrelm.test'
spawn ssh -q -o StrictHostKeyChecking=no -l puser1 ibm-x3650m4-01-vm-04.testrelm.test echo 'login successful'
Password:
Could not chdir to home directory /home/puser1: No such file or directory
login successful
:: [ PASS ] :: Authentication successful for puser1, as expected
:: [ PASS ] :: Command 'ssh_auth_success puser1 fo0m4nchU ibm-x3650m4-01-vm-04.testrelm.test' (Expected 0, got 0)
:: [ BEGIN ] :: Verify migrated user puser1 now has a keytab :: actually running 'verifyUserAttr puser1 "Kerberos keys available" True'
:: [ 06:51:40 ] :: Value of Kerberos keys available for user puser1 is as expected: True
:: [ PASS ] :: Verify migrated user puser1 now has a keytab (Expected 0, got 0)
:: [ BEGIN ] :: Ensuring that kinit as puser1 worked :: actually running 'klist | grep puser1'
Default principal: puser1
:: [ PASS ] :: Ensuring that kinit as puser1 worked (Expected 0, got 0)
:: [ 06:51:40 ] :: Running kinit
'7978fd51-eaa6-47a0-893b-c874acbbfbeb'
SSSD-password-migration-with-user1 result: PASS
:: [ LOG ] :: SSSD password migration user2
:: [ BEGIN ] :: Running 'ssh_auth_success puser2 Secret123 ibm-x3650m4-01-vm-04.testrelm.test'
spawn ssh -q -o StrictHostKeyChecking=no -l puser2 ibm-x3650m4-01-vm-04.testrelm.test echo 'login successful'
Password:
Could not chdir to home directory /home/puser2: No such file or directory
login successful
:: [ PASS ] :: Authentication successful for puser2, as expected
:: [ PASS ] :: Command 'ssh_auth_success puser2 Secret123 ibm-x3650m4-01-vm-04.testrelm.test' (Expected 0, got 0)
:: [ BEGIN ] :: Verify migrated user puser2 now has a keytab :: actually running 'verifyUserAttr puser2 "Kerberos keys available" True'
:: [ 06:51:45 ] :: Value of Kerberos keys available for user puser2 is as expected: True
:: [ PASS ] :: Verify migrated user puser2 now has a keytab (Expected 0, got 0)
:: [ BEGIN ] :: Ensuring that kinit as puser2 worked :: actually running 'klist | grep puser2'
Default principal: puser2
:: [ PASS ] :: Ensuring that kinit as puser2 worked (Expected 0, got 0)
:: [ 06:51:45 ] :: Running kinit
'7c95a237-05a8-4199-aa23-edcdcb796b03'
SSSD-password-migration-user2 result: PASS
```

Thus on the basis of above observations, marking status of bug to "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294